You wouldn't steal a /Flag.txt

The website is a static page without much functionality, but there is one odd behaviour: it loads some files whose names are base64 encoded.

In the website source code there are two kinds of imports: ones whose paths are written in plain English, and ones whose paths are encoded in base64.

There are also two different error messages for 404 File Not Found. If the path starts with assets, the default Flask 404 page is returned.

But if the path starts with anything else, there is a custom Error: 404! message. That indicates there are two different pieces of logic for accessing these paths.

When sending base64-encoded data that uses basic path traversal and doesn't start with assets, the custom error message is returned.

But when accessing it through any path that starts with assets, path traversal works:

echo -n  'assets/vendor/purecounter/../../../../../../../../../../flag.txt' | base64 -w0
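The behaviour above is consistent with a handler that only tests the decoded string's prefix. The following is an added example, not the challenge's code: it puts that kind of prefix test beside a check that normalises the path first and then requires it to stay inside the assets directory. APP_ROOT, the function names and the server-side logic are assumptions.

```python
import base64
import binascii
from pathlib import Path

# Assumed layout (hypothetical): the app serves files from <APP_ROOT>/assets.
APP_ROOT = Path("/srv/app")
ASSETS_DIR = APP_ROOT / "assets"

# The payload from the write-up, encoded the same way as `base64 -w0`.
TRAVERSAL = base64.b64encode(
    b"assets/vendor/purecounter/../../../../../../../../../../flag.txt"
).decode()


def decode_name(token: str) -> str:
    """Decode a base64 file name and reject malformed input."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed file token") from exc


def prefix_check(token: str) -> Path:
    """Weak check (assumed): only the string prefix is tested."""
    name = decode_name(token)
    if not name.startswith("assets"):
        raise PermissionError("path does not start with assets")
    return APP_ROOT / name  # '..' segments are still present here


def contained_check(token: str) -> Path:
    """Hardened check: resolve '..' and symlinks, then require containment."""
    name = decode_name(token)
    target = (APP_ROOT / name).resolve()
    if not target.is_relative_to(ASSETS_DIR.resolve()):  # Python 3.9+
        raise PermissionError("resolved path is outside assets")
    return target


if __name__ == "__main__":
    print("prefix_check accepts:", prefix_check(TRAVERSAL))
    try:
        contained_check(TRAVERSAL)
    except PermissionError as err:
        print("contained_check rejects:", err)
```

The containment test also rejects absolute names and sibling directories such as assets_backup, both of which a plain prefix comparison lets through.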
